August 19, 2002
Mr. Jonathan G. Katz
Securities and Exchange Commission
450 Fifth Street, NW
Washington, D.C. 20549-0609
Certification of Disclosure in Companies' Quarterly and Annual Reports
(Release Nos. 34-46079; 34-46300)
Commission File No. S7-21-02
Dear Mr. Katz:
We are pleased to comment on the proposed rules requiring a company's principal executive officer and principal financial officer to certify the company's quarterly and annual reports.
The Securities and Exchange Commission ("SEC") is obligated under Section 302, "Corporate Responsibility for Financial Reports," of the Sarbanes-Oxley Act of 2002 (the "Act") to adopt rules to implement management certification in periodic reports by August 29, 2002. However, the scope of the certification requirements under Section 302 exceeds that originally proposed by the SEC in June, particularly with respect to certification of internal control matters. Although the statute requires that rules must be "effective" by August 29, 2002, we do not believe that Congress sought to prevent the Commission from adopting phase-in or transition periods that would facilitate an orderly implementation of the new requirements, in particular the management certification related to internal control matters. In our view, management certification regarding internal control matters should be implemented in tandem with the internal control reporting required by Section 404, "Management Assessment of Internal Controls," of the Act. As discussed below, there are significant practical issues to be addressed before management certification about internal control matters can be implemented in an orderly fashion. In the meantime, we believe that the other aspects of the required management certification could become effective immediately.
Section 302(a)(4)(D) of the Act requires signing officers to certify that they have presented in the periodic report "their conclusions about the effectiveness of their internal controls based on their evaluation." This aspect of management's certification is closely related to the requirement of Section 404(a)(2) of the Act, which separately requires that annual reports include a report from management on internal controls that contains an assessment "of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." In addition, Section 404(b) will require the issuer's registered public accounting firm to attest to the assessment made by management. In our view, it is clear that standards will need to be developed and implemented to establish a sufficient basis for management's assessment of the "effectiveness" of internal controls in order to ensure consistent practice and interpretation. In addition, the form of management's required report will need to be promulgated. Until these standards are established in order to implement Section 404 of the Act, we do not believe that the principal executive and financial officers would be able to provide a certification regarding internal controls on a basis that would be subject to consistent interpretation and application.
Similarly, other aspects of the Section 302 certification regarding internal control matters are dependent on the resolution of certain definitional questions, as discussed further below, and the development of related interpretive and implementation guidance. In our view, the SEC should resolve these definitional questions with the input of affected parties in a timely, deliberate manner before the effective date of required management certifications on internal control matters. We recommend that the SEC propose resolution to these questions as part of the rules it will need to propose to implement Section 404 of the Act. In addition, constituents to the internal control reporting process will need time to prepare for implementation (e.g., develop methodologies, guidance and tools, as well as train personnel).
The statute requires only that the rules "shall be effective not later than 30 days after the date of this Act." As the Court of Appeals for the District of Columbia Circuit has held, "`[t]ake effect' is a phrase whose meaning varies considerably with context."1 Courts, therefore, will defer to any reasonable interpretation of "effectiveness" language that is adopted by an agency entrusted with administering the statute.2 Exercising this authority, agencies have understood that a Congressional directive to make a statute "effective" by a particular date does not require that a statutory scheme be fully implemented by that date. On the contrary, "`[e]ffectiveness' language is frequently used by Congress to connote legal effectiveness, not results."3
Against this backdrop, it seems clear that the Commission possesses the authority to delay or phase in implementation of the certification rules it promulgates pursuant to Section 302 of the Act. Such gradual implementation seems particularly appropriate with respect to the certifications regarding internal controls, Section 302(a)(4)-(a)(6), which as discussed above would be difficult or even impossible to implement immediately.4
In the circumstances, we believe that an orderly transition of the certification as to internal control matters would be consistent with the interests of investors and the capital markets. Requiring management certifications about internal control matters before an adequate framework has been established could result in unnecessary costs, inefficiencies and potentially significant inconsistencies, both among registrants and with the ultimately adopted framework for internal control evaluations and reports. Accordingly, we believe the SEC could make the basic elements of the management certification (i.e., Section 302(a)(1-3)) effective immediately. However, we believe that the internal control representations of the management certification (i.e., Section 302(a)(4-6)) should become effective at the same time as the internal control reporting required under Section 404.
Section 302 of the Act uses various terms that will require common definition in order for the related management certifications to be consistent and comparable. Specifically, the terms "internal controls," "material weakness" and "significant deficiency" must be defined and interpreted in order for the related management certifications to be made consistently and reliably.
Section 302(a)(4)(A) of the Act requires the officers to certify that they are responsible for establishing and maintaining "internal controls." Section 302(a)(4)(B) of the Act requires the officers to certify that they have designed "such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are prepared." Section 302(a)(5) of the Act requires the officers to certify that they have disclosed to the auditor and the audit committee "all significant deficiencies in the design and operation of internal controls which could adversely affect the issuer's ability to record, process, summarize and report financial data." Section 404 of the Act requires the SEC to adopt rules requiring an annual report that it is management's responsibility for establishing and maintaining "an adequate internal control structure and procedures for financial reporting."
In order to define "internal controls" for purposes of both Section 302 and Section 404, the SEC should consider the various definitions of internal control currently used in practice. Both Generally Accepted Auditing Standard (GAAS) AU Section 319 and the Committee of Sponsoring Organizations (COSO) define internal control as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: a) reliability of financial reporting, b) effectiveness and efficiency of operations, and c) compliance with applicable laws and regulations." For purposes of Section 302 and Section 404, it must be unambiguous whether "internal control" encompasses all three of these objectives or only the reliability of financial reporting.
In addition, the SEC must consider existing definitions of internal control under federal securities laws and regulations. For example, Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (the "Exchange Act") requires registrants to "devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management's general or specific authorization; (ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management's general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences." Again, absent clarification, it would be uncertain whether the scope of "internal control" for purposes of the management certification would encompass all of these objectives or only the recording of transactions sufficient to permit the preparation of financial statements that comply with generally accepted accounting principles.
As a practical matter, for both clarity and consistency, we recommend that there be a common definition of internal control for purposes of the various requirements of Section 302 and Section 404. Given that Section 404 contemplates auditor attestation to management's assertions about the effectiveness of internal control, we recommend that "internal control" be defined as the issuer's internal control over financial reporting, as contemplated by AT 501, Reporting on an Entity's Internal Control Over Financial Reporting, of the AICPA's Attestation Standards. We believe that such a definition of internal control would be consistent with the legislative history that gave rise to these provisions of the Act.
In addition, the SEC will need to adopt definitions of "material weakness" and "significant deficiency." Section 302(a)(5) of the Act requires the officers to certify that they have disclosed to the auditor and the audit committee all "significant deficiencies" in the design and operation of internal controls which could adversely affect the issuer's ability to record, process, summarize and report financial data, as well as any "material weaknesses" in internal control. The term "material weakness" has a definition in generally accepted auditing standards that is widely accepted and understood. Accordingly, we recommend that the SEC adopt that definition for purposes of the Section 302 management certification. That is, a material weakness in internal control would be a deficiency "in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements may occur and not be detected within a timely period by employees in the normal course of performing their assigned functions."
Section 302(a)(5) uses the term "significant deficiency" in a manner similar to the term "reportable condition" under AU Section 325. Under GAAS, reportable conditions are defined as "significant deficiencies in the design or operation of the internal control that, in the auditor's judgment, could adversely affect the organization's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements." However, AU 325 makes clear that in making judgments about whether internal control matters are reportable conditions "the auditor should take into consideration various factors relating to the entity, such as its size, complexity and diversity of activities, organizational structure, and ownership characteristics." Similarly, we believe that officers will need additional guidance in making judgments as to the identification of "significant deficiencies" in internal control for purposes of their certification.
Given that the management reporting on internal control is an annual requirement under Section 404, it would appear that the related management certification under Section 302(a)(4)(C) and (D) also should be an annual, rather than quarterly, certification. In our view, the comprehensive evaluation of internal control on a quarterly basis could be a particularly onerous and unnecessary undertaking. Accordingly, we suggest that the SEC exercise discretion in interpreting the Act and specify that the aspects of the management certification required by Section 302(a)(4)(C) and (D) be provided only in annual reports. We note that the certifications provided in response to Section 302(a)(6) of the Act would provide appropriate disclosures in interim periods about significant changes in internal controls. We also note that the management certification originally proposed by the SEC would have required only an annual certification as to the evaluation of the effectiveness of the design and operation of the issuer's procedures for SEC reporting compliance.
Section 302(a)(4)(C) requires the signing officers to certify that they have evaluated the effectiveness of the issuer's internal controls as of a date "within 90 days prior to the report." We believe that the date of the annual evaluation pursuant to the Section 302 certification should be the same date as the Section 404 internal control reporting date; in other words, "as of the end of the most recent fiscal year," rather than a date "within 90 days prior to the report." If the SEC requires quarterly evaluations under Section 302, the SEC should clarify whether the evaluations other than at year-end are to be performed as of quarter-end or may be performed as of an earlier or later date. Under the current wording, it is unclear whether such determination should be made by reference to the end of the period covered by the report, the date the report was filed, or the due date of the report.
Internal Controls for SEC Reporting
The original proposed rule (Release No. 34-46079) would have required companies to maintain sufficient procedures to provide "reasonable assurances that the company is able to collect, process and disclose, within the time periods specified in our rules and forms, the information including non-financial information, required to be disclosed in their periodic and current reports." The Act did not impose a similar provision, although we note that Section 302(a)(4)(B) requires the principal officers to certify that internal controls ensure that material information is made known to the officers, particularly during preparation of annual and quarterly reports. We agree that issuers should have in place adequate controls to ensure that their periodic reports are in compliance with SEC requirements, and we encourage the SEC to adopt its proposed requirement. We note that such a system of controls is a condition to qualify for the proposed safe harbor, with which we agree, for a delinquent filing under the SEC's proposed Form 8-K amendments.
As proposed by the SEC, the issuer would be required, within the 12-month period before the filing of its annual report on Form 10-K or 10-KSB, to conduct an evaluation, under the supervision of management, of the effectiveness of the design and operation of the procedures for SEC reporting compliance. The proposed rules also would require the CEO, CFO, and the board of directors to review the results of that evaluation. We agree that periodic evaluations of the compliance system should be performed, similar to the annual evaluation of other aspects of internal control. However, we do not believe that the SEC should specify any particular procedures for conducting the annual evaluation at this time. Similarly, we do not believe that the SEC should require issuers to establish a formal management committee to identify and consider disclosure issues. We agree that, in light of a similar certification under Section 302 regarding the evaluation of internal control, the principal officers should certify annually that they have evaluated the effectiveness of the procedures for SEC reporting compliance. However, we do not believe that directors or audit committee members should be required to certify that they have reviewed the results of the annual evaluation. Instead, companies should have discretion as to whether oversight of the system for SEC reporting compliance is a responsibility of the audit committee, another committee of the board, or the full board of directors. Finally, we believe that the effective date of any rules formally requiring issuers to establish sufficient procedures for SEC reporting compliance, and the annual evaluation thereof, should be deferred to allow issuers sufficient time to assure compliance and prepare for implementation.
Registered Investment Companies
The management certification specified in Section 302 of the Act must be provided by companies filing periodic reports under Section 13(a) of 15(d) of the Exchange Act, which would include registered investment companies that file reports on Form N-SAR (semiannually for registered investment companies and annually for registered Unit Investment Trusts). However, financial statements are not required to be included in Form N-SAR. Instead, Rule 30d-1 of the Investment Company Act of 1940 (the "1940 Act") requires that, at least semiannually, reports containing financial statements be provided to shareholders. Rule 30b2-1 of the 1940 Act requires such reports to shareholders be filed with the Commission, which is accomplished using electronic submission N-30D. In light of the form and content of reports on Form N-SAR, we do not believe that a management certification should be provided with respect to, or as part of, that report. Instead, we believe that the management certification would more appropriately apply to, and be provided with, the reports to shareholders.
Most management investment companies rely upon third parties to maintain their books and records. As a result, many do not have a chief executive and chief financial officer as contemplated by the Act. We recommend that the SEC provide guidance on who should perform the management certification, such as the President of the Board of Directors/Trustees, Treasurer, and/or an executive officer of a third party administrator that maintains the fund's books and records.
With respect to internal control matters, Item 77B of Form N-SAR requires that annually, the "management investment company shall furnish a report of its independent public accountant on the company's system of internal controls. The accountant's report shall be based on the review, study and evaluation of the accounting system, internal accounting controls, and procedures for safeguarding securities made during the audit of the financial statements. The report should disclose material weaknesses in the accounting system, system of internal accounting control and procedures for safeguarding securities which exist as of the end of the registrant's fiscal year." Based on this requirement, the current format of the accountant's report does not attest to assertions about the company's internal controls. Instead, the report only addresses whether or not any material weaknesses were identified.
Section 405 of the Act, "Exemptions," exempts investment companies from the internal control reporting requirements of Section 404. However, in connection with the implementation of the requirements of Section 404, we recommend that the SEC reconsider the requirements of Item 77B of Form N-SAR. We are concerned that investors may not fully appreciate the distinctions between the material weaknesses report rendered under Item 77B and the broader auditor attestation regarding internal controls that will be required for other issuers in response to Section 404. Moreover, given the exemption provided to investment companies in Section 405 of the Act from the internal control reporting requirements of Section 404, we believe that the SEC should consider a similar exemption for investment companies from any management certification as to internal control matters, i.e., Section 302(a)(4)-(a)(6). However, should the SEC conclude otherwise, we believe, for the same reasons discussed above, the effective date of any management certification as to internal control matters also should be deferred for investment companies until such time as standards can be developed for management's evaluation and reporting on internal controls. As indicated previously, we believe that such standards will be developed in connection with the implementation of the internal control reporting requirements of Section 404.
With respect to Business Development Companies ("BDCs"), because BDCs usually file annual and quarterly reports on Form 10-K and Form 10-Q, we would expect BDCs to become subject to the management certification rules and internal control reporting rules required by Section 302 and Section 404, respectively, in the same manner as commercial issuers.
In adopting rules to implement the management certifications required by Section 302, the SEC should reconsider the existing signature requirements of Form 10-K and Form 10-Q. In addition, the SEC should consider the practical implications of management certifications to other Exchange Act filings, including Form 8-K, definitive proxy and information statements, amendments to previously certified reports, and Form 11-K.
Form 10-K and Form 10-Q Signatures: In light of the signed certification of the principal officers that now will be required in each quarterly and annual report, we recommend that the SEC reconsider the current requirements for separate signatures in these reports. We suggest that the signature requirements of annual and quarterly periodic reports be integrated so that the proposed certification language precedes the signatory lines and each officer signs only once, rather than being required separately to sign the certification and the report. If separate signature requirements are retained, we recommend that it be clear what responsibility other signatories to the report are taking. In addition, we believe that any revised rules should permit companies to provide conforming certifications of other officers in addition to the CEO and CFO, if companies voluntarily wish to do so. Also, we suggest that the SEC consider whether it would be appropriate to integrate the management certification provided in response to Section 302 of the Act with that provided under Section 906 of the Act.
Form 8-K: While the management certification required in response to Section 302 of the Act clearly does not apply to reports on Form 8-K, in its original rule proposal the SEC requested comment on whether management certifications should be required in each Form 8-K. In light of the proposed expansion and acceleration of reports on Form 8-K, we do not believe that it would be realistic to expect the CEO and CFO to certify each report on a timely basis. Instead, we recommend that the SEC retain the existing Form 8-K signature requirements.
Definitive Proxy and Information Statements: The SEC's original proposing release requested comment on whether the management certification in the annual report should be considered to cover information required by Part III of Form 10-K, which typically is incorporated by reference from the proxy statement that may be filed at a later date. In our view, a certification, similar to a consent, should not apply to information that will be filed at a later date. Similarly, a management certification should speak as of the date it was made and should not be considered "evergreen." Accordingly, the management certification provided at the filing date of the annual report should not be considered to apply to material that will be incorporated by reference from a future proxy filing. As a result, the SEC should consider whether a separate, specific certification must accompany the proxy material that is incorporated by reference.
Amendments to Form 10-K and Form 10-Q: We agree that a specific form certification should be provided as part of amendments to previously certified quarterly and annual reports.
Form 11-K: Section 302 defines "periodic reports" in a manner that would appear to include annual reports of employee benefit plans on Form 11-K. However, we question whether that was the legislative intent of the Act, as well as the utility of a management certification in such filings. Accordingly, we recommend that the SEC exercise discretion in interpreting the provisions of Section 302 and specify that a management certification is not required in Form 11-K. However, if the SEC concludes otherwise, the SEC rule should clarify whether or not the management certification in a Form 11-K must be provided by the principal officers of the plan sponsor, or perhaps more appropriately, the principal fiduciary or plan administrator.
We believe that the management certifications that will be required as a result of the Act appropriately acknowledge the responsibilities of the senior officers of public companies, and we believe that ongoing management certifications will focus and strengthen the involvement of those officers in the public reporting process. However, we have serious concerns about the orderly implementation of the assessment, reporting and certification of internal control matters that will be required by the Act. We believe that the SEC would be acting well within its regulatory authority, and consistent with the interests of investors and the capital markets, to provide a transition period for the management certifications related to internal control matters. This transition would facilitate an orderly and consistent implementation of all of the new requirements related to internal controls.
* * * * *
We would be pleased to discuss our comments with the Commission or its staff at your convenience.
Very truly yours,
/s/ Ernst & Young LLP
|1||NRDC v. EPA, 22 F.3d 1125, 1138 (D.C. Cir. 1994).|
|2||Id. citing Chevron U.S.A. Inc. v. NRDC, 467 U.S. 837, 843 (1984).|
|3||Id. Thus, in NRDC, the D.C. Circuit upheld the EPA's view that a statutory provision requiring state plans to "take effect" by a prescribed date referred only to the existence of a plan that is legally effective by the prescribed date, not to a plan that was fully implemented and that had achieved the level of pollution reduction that Congress required. NRDC v. EPA, 22 F.3d 1125, 1137-39 (D.C. Cir. 1994). Similarly, in construing a statute requiring certain drinking water regulations to "take effect" within a prescribed time period, the court recognized that "the date upon which a drinking water regulation takes effect under [the statute] would not necessarily be the date upon which the regulation will be implemented or enforced." American Water Works Ass'n v. EPA, 40 F.3d 1266, 1272 (D.C. Cir. 1994) (emphasis added).|
|4||See American Water Works, 40 F.3d at 1272 (given the complexity of rules at issue, it was reasonable for the EPA to interpret the Act in a way that avoided a "hasty implementation and enforcement schedule").|